The 'Backoff' malware linked to data breaches is spreading

The number of computers in North America infected by the Backoff malware, which is blamed for a string of payment card breaches, has risen sharply, according to research from network security company Damballa.

By
Jeremy Kirk
| Oct 24, 2014

| IDG News Service

Share

TwitterFacebookLinkedInGoogle Plus

The number of computers in North America infected by the Backoff malware, which is blamed for a string of payment card breaches, has risen sharply, according to research from network security company Damballa.

The company detected a 57 percent increase between August and September in devices infected with Backoff, which scrapes a computer's RAM for leftover credit card data after a payment card has been swiped, said Brian Foster, Damballa's CTO.

Damballa based its finding on data it collects from its ISP and enterprise customers, who use its traffic analysis products to detect malicious activity.

Damballa sees about 55 percent of internet traffic from North America, including DNS requests, though for privacy reasons it doesn't know the IP addresses of most of those computers, Foster said.

The company runs a Hadoop cluster at its Atlanta headquarters, where it analyzes the DNS requests and classifies them as good or potentially malicious by looking at the servers being contacted.

"We actually attribute the behaviors we see -- as well as the domain names and IP addresses that malware is looking up -- to threat actors and threat groups," Foster said.

"We track a set of domain characteristics and domain names that are related to Backoff, and it's looking at the volume of those lookups that shows us the increase."

The retail industry is struggling to contain attacks targeting payment card data, and RAM-scraping malware has hit big-name companies like Home Depot, Target and Dairy Queen. The Department of Homeland Security warned in August that as many as 1,000 enterprise and small-business networks may be infected with Backoff and not know it.

Damballa has greater visibility into the networks of companies that use its services, Foster said, enabling it to warn those that may be infected. For ISPs that use its services, Damballa can alert them that their customers may have been infected and leave it to the IPSs to pass along the message.

ISPs have become more active about notifying customers, he said. That's been spurred by a desire to avoid government regulation, especially among the larger ISPs, he said. They also want to ensure the performance of their networks, since they increasingly offer high-bandwidth entertainment services.

"They see security as an enabler for a lot of their other business practices," Foster said.